flat assembler
Message board for the users of flat assembler.

CreateThread with STARTUPINFO
comrade 25 Nov 2010, 12:09
If you are OK with your app working on Vista+, you might want to look at the newer Task Dialog interface. It has a bunch of callbacks, and there might be one that allows you to set its on-screen position.
Overflowz 25 Nov 2010, 12:21
revolution
I already know how to use it, but I'm lost in the APIs; I tried modifying it over and over, but I fail every time. I did a lot of tests with the debugger, of course, but same result.
vid 25 Nov 2010, 13:42
What exactly does "but I fail" mean? What fails in the modified program?

Most of the APIs you call have some return value which indicates an error (described on MSDN; just google "MSDN <api name>"). I suggest you trace your code and check whether all API calls return without error. In case an error is returned by one of them, OllyDbg tells you what error code it is; then let us know.
Overflowz 25 Nov 2010, 13:55
vid
Ahh... Sorry for my dumb questions. I forgot that OllyDbg shows last errors! I saw it now and it's ERROR_INVALID_ID_PARAMETER. I'll try to fix this. Thanks for the useful reply :)
Overflowz 25 Nov 2010, 14:09
Well, my problem is that I can't get the Thread ID after calling the CreateThread API. Instead of the ID I was getting a Thread Handle. I've tried to google it but can't find how to get the Thread ID from CreateThread. Is there any way to do that? I looked at MSDN and it says the last argument returns the thread identifier. I've used the EDI register but it seems it's not returning anything, and GetLastError shows nothing. Any suggestions? Someone, just watch the code in a debugger! I'm getting very mad. I have no idea why it's not returning the Thread ID :( Here's the code I mean.
Code:
format PE GUI 4.0
include 'win32a.inc'
entry main
;entry startHook

;------------------------------------------- 
section '.text' code readable executable 
;=========================================== 
proc startHook
        invoke  GetCurrentThreadId                              ; set up hook
        invoke  SetWindowsHookEx,WH_CBT,CBTProc,0,eax           ;
        ;cmp     eax,0
        ;jz      WhatWentWrong?
        mov     [ebx],eax
        invoke  MessageBox,0,Mess,Title,MB_TOPMOST              ; positionable msgbox 
        invoke  UnhookWindowsHookEx,[ebx]                     ; clean up
endp
 ; WhatWentWrong?:
  ;      invoke  ExitProcess,0
;-------------------------------------------
proc main
     invoke CreateThread,NULL,0,MSGProc,NULL,NULL,edi
     ;invoke  GetCurrentThreadId
     invoke SetWindowsHookEx,WH_CBT,CBTProc,0,edi
     ;invoke UnhookWindowsHookEx,eax
     ret
endp
proc MSGProc
     invoke MessageBox,0,Mess,Title,MB_OK
     ret
endp
proc    CBTProc, nCode,wparam,lparam
        push    ebx esi edi
        cmp     [nCode],HCBT_ACTIVATE
        jne     finish
        invoke  SetWindowPos,[wparam],0,20,20,0,0,\             ; Xoffset,Yoffset,0,0
                SWP_NOSIZE Or SWP_NOZORDER Or SWP_NOACTIVATE
  finish: 
        xor     eax,eax                                         ; 0 = All ok 
        pop     edi esi ebx
        ret 
endp 
;------------------------------------------- 
section '.data' data readable writeable 
;=========================================== 
  Title                 db 'Hello',0 
  Mess                  db 'Put me where',10 
                        db 'you want ',0 
;align 8
  hHook                 dd ?
  tid                   dd ?
;------------------------------------------- 
section '.idata' import data readable writeable 
;===========================================

     library kernel32,'KERNEL32.DLL',\ 
             user32,'USER32.DLL' 

             include 'api\kernel32.inc' 
             include 'api\user32.inc'     
comrade 25 Nov 2010, 15:11
The thread ID is an output parameter. It's the last parameter to CreateThread. You need to fill it with the offset of a dword where you want CreateThread to write the thread ID to.

Code:
lea eax,[tid]                                   ; fasm needs the brackets here: eax = address of tid
invoke CreateThread,NULL,0,MSGProc,NULL,NULL,eax

...
section '.data' ...
tid dd ?                                        ; <-- here
Overflowz 25 Nov 2010, 15:23
comrade
EDI = 1 DWORD :) I've also tried with tid but no result... same problem.
revolution 25 Nov 2010, 15:38
Overflowz: You have to initialise the values of EDI and EBX before you can use them. You can't simply start storing values to [EBX] without setting the value of EBX first. And where is your ret?
Code:
proc startHook
        invoke  GetCurrentThreadId                              ; set up hook
        invoke  SetWindowsHookEx,WH_CBT,CBTProc,0,eax           ;
        ;cmp     eax,0
        ;jz      WhatWentWrong?
        mov     [ebx],eax ;<---- What is the value of EBX?
        ;Where is the 'ret'?
endp    
All of these basic errors can easily be picked up with OllyDbg.
Overflowz 25 Nov 2010, 15:50
revolution
I think you don't understand me. The startHook function works fine, but the main function fails. I mean this function fails, and what you wrote works fine.
Code:
proc main
     invoke CreateThread,NULL,0,MSGProc,NULL,NULL,edi
     ;invoke  GetCurrentThreadId
     invoke SetWindowsHookEx,WH_CBT,CBTProc,0,edi
     ;invoke UnhookWindowsHookEx,eax
     ret
endp    
revolution 25 Nov 2010, 15:53
You need to initialise the value of EDI. You will overwrite some random address without setting EDI first.

[edit]Déjà vu
Alphonso 25 Nov 2010, 16:19
I think you'll find that with an exe, SetWindowsHookEx needs to be called from the thread it's hooking. The documentation I've seen doesn't seem to mention this. Also be aware that you're probably unhooking before the hook has been made. From your first code post:
Code:
proc main
     invoke CreateThread,NULL,0,MSGProc,NULL,NULL,tid
     ;invoke SetWindowsHookEx,WH_CBT,CBTProc,0,tid     ;needs to be in thread that
                                                       ;that is being hooked --v
     invoke MessageBox,0,Mess,Title,MB_OK              
     invoke UnhookWindowsHookEx,[hHook]

     ret
endp
proc MSGProc
     invoke SetWindowsHookEx,WH_CBT,CBTProc,0,[tid]    ;moved from main
     mov    [hHook],eax                                ;keep for unhooking
     invoke MessageBox,0,Mess,Title,MB_OK
     ret
endp                                               
Added the msgbox before the unhook so it at least has a chance to work, but you'll probably want to add something better to make sure the hook is finished with.
Overflowz 25 Nov 2010, 16:54
revolution
I got it. But same result with "tid".
Alphonso
No luck. Btw, I'm not using the startHook function; I've just posted the working proc and the non-working proc. main is non-working and startHook = working. I've tried this code and it failed too.
Code:
proc main
     invoke CreateThread,NULL,0,MSGProc,NULL,NULL,tid
     ;invoke  GetCurrentThreadId
     ;invoke SetWindowsHookEx,WH_CBT,CBTProc,0,edi
     ;invoke UnhookWindowsHookEx,eax
     ret
endp
proc MSGProc
     invoke SetWindowsHookEx,WH_CBT,CBTProc,0,[tid]
     mov [ebx],eax
     invoke MessageBox,0,Mess,Title,MB_OK
     invoke UnhookWindowsHookEx,ebx
     ret
endp
proc    CBTProc, nCode,wparam,lparam
        push    ebx esi edi
        cmp     [nCode],HCBT_ACTIVATE
        jne     finish
        invoke  SetWindowPos,[wparam],0,20,20,0,0,\             ; Xoffset,Yoffset,0,0
                SWP_NOSIZE Or SWP_NOZORDER Or SWP_NOACTIVATE
  finish: 
        xor     eax,eax                                         ; 0 = All ok 
        pop     edi esi ebx
        ret 
endp    
Overflowz 25 Nov 2010, 17:10
Hey! I've done it! Here's a working example, but revolution, what am I doing wrong with initializing the EBP register? Can you fix it, please? Here's the commented code.
Code:
proc main
     mov ebp,esp
     sub esp,10
     invoke CreateThread,NULL,0,MSGProc,NULL,NULL,tid ;ebp instead of tid
     ;invoke  GetCurrentThreadId
     ;invoke SetWindowsHookEx,WH_CBT,CBTProc,0,edi
     ;invoke UnhookWindowsHookEx,eax
     ret
endp
proc MSGProc
     mov eax,[tid] ;[ebp] instead of [tid]
     invoke SetWindowsHookEx,WH_CBT,CBTProc,0,eax
     invoke MessageBox,0,Mess,Title,MB_OK
     invoke UnhookWindowsHookEx,ebx
     ret
endp    

With tid it works fine, but with ebp it doesn't. What am I doing wrong? :) Thank you. Also, I really wanted to know what the difference is between, for example, [eax] and eax. I've tried google but didn't know what to search for. Thanks for helping, everyone.
revolution 25 Nov 2010, 17:35
Using EBP won't work because it is meant to be local to each procedure only. You can't safely use it across procedures unless you are very very careful about how to enter and exit the procs.
baldr 25 Nov 2010, 17:42
Overflowz,
Every instruction consists of the mnemonic and a variable number of operands, separated by commas. An operand can be a register, an immediate value or data addressed in memory; it can also be preceded by a size operator to define or override its size (table 1.1). The names of the available registers you can find in table 1.2; their sizes cannot be overridden. An immediate value can be specified by any numerical expression.

When an operand is data in memory, the address of that data (also any numerical expression, but it may contain registers) should be enclosed in square brackets or preceded by the ptr operator. For example, the instruction mov eax,3 will put the immediate value 3 into the EAX register, the instruction mov eax,[7] will put the 32-bit value from the address 7 into EAX, and the instruction mov byte [7],3 will put the immediate value 3 into the byte at address 7; it can also be written as mov byte ptr 7,3.
As to ebp usage:
  • you didn't save it before overwriting with esp;
  • esp prefers to be dword-aligned;
  • you have to adjust esp back before ret (if you want to return to the caller ;));
  • if you pass ebp instead of tid in shown code, CreateThread() will overwrite return address in stack with thread ID.
Read more about calling conventions.
revolution 25 Nov 2010, 18:01
Also, simply using ret to finish the main proc is not recommended. Instead you should consider using invoke ExitProcess,<return_value>.

If you don't use the win32a.inc macros then procedure entry and exit would usually be something like this:
Code:
abc: ;our proc
push ebp ;save ebp
mov ebp,esp ;set up the local variables pointer
sub esp,16 ;make space for 4 dwords
mov [ebp-4],something ;top-most variable
mov [ebp-16],something ;bottom-most variable
;...
mov esp,ebp
pop ebp
ret    
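The frame layout sketched above, together with baldr's rule that `tid` is an address and `[tid]` is the value stored there, written out as one complete procedure. This is an added illustration, not code from any post in the thread: the `store_tid` name, its single argument, and the sample value placed in `tid` are constructed for the example, and the procedure deliberately uses no win32a.inc `proc` macro so that every prologue and epilogue step is visible.

```asm
section '.text' code readable executable

; store_tid(pOut) -- stdcall-style procedure with a manual frame and two
; dword locals. Writes the current value of [tid] through the pointer pOut
; and returns the address of tid in EAX.
store_tid:
        push    ebp                 ; 1. save the caller's EBP (the step the thread's code skipped)
        mov     ebp,esp             ; 2. EBP now marks this frame: [ebp+8] is the first argument
        sub     esp,8               ; 3. room for two dword locals; 8 keeps ESP dword-aligned (10 would not)
        push    ebx                 ;    callee-saved register we are about to clobber

        mov     eax,tid             ; no brackets: EAX = the ADDRESS of tid (an immediate)
        mov     [ebp-4],eax         ; local 1 = that pointer
        mov     ebx,[tid]           ; brackets: EBX = the VALUE stored at tid (a memory operand)
        mov     [ebp-8],ebx         ; local 2 = that value

        mov     ecx,[ebp+8]         ; ECX = pOut argument
        mov     [ecx],ebx           ; write the value through the pointer the caller gave us
        mov     eax,[ebp-4]         ; return value: the address of tid, read back from local 1

        pop     ebx                 ;    restore the callee-saved register
        mov     esp,ebp             ; 4. discard the locals (undo the sub, restoring ESP)
        pop     ebp                 ; 5. restore the caller's EBP
        ret     4                   ; 6. stdcall: the callee removes its one dword argument

; Constructed usage, e.g. from the entry point:
;       push    copy                ; argument: address of 'copy'
;       call    store_tid           ; afterwards [copy] = 1234h and EAX = address of tid

section '.data' data readable writeable
  tid   dd 1234h                    ; constructed sample value, standing in for a real thread ID
  copy  dd ?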
Overflowz 25 Nov 2010, 19:31
Well, another failure, this time with UnhookWindowsHookEx... When SetWindowsHookEx is processed, it hooks but is not returning a handle. What's the problem?
baldr 25 Nov 2010, 21:12
Overflowz,

Most WinAPI functions indicate reason of failure, use GetLastError(). It may be cryptic though.
Overflowz 25 Nov 2010, 22:07
baldr
I did already, but it says ERROR_SUCCESS. Maybe because it's running in thread mode? And please, can someone look at that in a debugger? Because I don't know why, it's not displaying anything after the CreateThread API is called. And also, instead of ret, I've used ExitProcess and nothing worked. With ret it works fine. Can anyone explain it to me?
baldr 26 Nov 2010, 00:02
Overflowz,

You're asking someone to see what in debugger? Provide complete source (unless you want us to guess what changes you've made to those posted here).

This works:
Code:
        include "Win32AX.Inc"
        .code
here:   invoke  SetWindowsHookEx, WH_CBT, CBTProc, 0, <invoke GetCurrentThreadId>
        mov     [hhook], eax
        invoke  MessageBox, HWND_DESKTOP, text, caption, MB_OK
        invoke  UnhookWindowsHookEx, [hhook]
        ret

proc CBTProc nCode, wParam, lParam
      .if [nCode]=HCBT_ACTIVATE
        invoke  SetWindowPos, [wParam], 0, 100, 100, 0, 0, SWP_NOSIZE or SWP_NOZORDER or SWP_NOACTIVATE
        xor     eax, eax
        ret
      .endif
        leave
        pop     eax     ; retrieve return address
        push    [hhook] ; insert argument
        push    eax     ; place return address back
        jmp     [CallNextHookEx]; tail-call
endp

        .data
text    db      "Hello, world!", 0
caption db      "Hook test", 0
        align   4
hhook   rd      1

        .end    here    
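Putting the thread's advice together in one program: comrade's point that lpThreadId is the address of a dword, vid's and baldr's point that every API return value is checked and GetLastError read on failure, Alphonso's point that the hook is installed from the thread being hooked and not removed before it has done its job, and revolution's point that the process ends with ExitProcess rather than a bare ret. This is an added example, not code from any of the posts: the data names (Title, Mess, tid, hHook) follow the thread, while hThread and the local labels are my own, and it assumes fasm's standard win32a.inc with the api\kernel32.inc and api\user32.inc import lists.

```asm
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.text' code readable executable

start:
        ; Last argument is lpThreadId: 'tid' without brackets pushes the ADDRESS
        ; of the dword, which is what CreateThread writes the thread ID into.
        invoke  CreateThread,NULL,0,MSGProc,NULL,0,tid
        test    eax,eax                                 ; NULL handle = failure
        jz      .fail
        mov     [hThread],eax
        ; Do not leave main while the worker may still own a hook: wait for it.
        invoke  WaitForSingleObject,[hThread],-1        ; -1 = INFINITE
        invoke  CloseHandle,[hThread]
        invoke  ExitProcess,0
  .fail:
        invoke  GetLastError                            ; Win32 error code (e.g. 87 = ERROR_INVALID_PARAMETER)
        invoke  ExitProcess,eax                         ; surface it as the process exit code

; Thread procedure (stdcall, one argument). The CBT hook is installed by this
; thread for itself, used, and removed by the same thread before it returns.
proc MSGProc lpParam
        invoke  GetCurrentThreadId                      ; same value CreateThread stored in [tid]
        invoke  SetWindowsHookEx,WH_CBT,CBTProc,0,eax   ; hMod = 0: hook proc lives in this exe
        test    eax,eax
        jz      .nohook
        mov     [hHook],eax                             ; keep the HHOOK for unhooking and CallNextHookEx
        invoke  MessageBox,0,Mess,Title,MB_OK           ; HCBT_ACTIVATE fires for this window
        invoke  UnhookWindowsHookEx,[hHook]
        xor     eax,eax                                 ; thread exit code 0 = all ok
        ret
  .nohook:
        invoke  GetLastError                            ; hook failed: return the reason as exit code
        ret
endp

; CBT hook: move the window being activated, then pass the event along.
proc CBTProc nCode,wParam,lParam
        cmp     [nCode],HCBT_ACTIVATE
        jne     .next
        invoke  SetWindowPos,[wParam],0,20,20,0,0,SWP_NOSIZE or SWP_NOZORDER or SWP_NOACTIVATE
  .next:
        invoke  CallNextHookEx,[hHook],[nCode],[wParam],[lParam]
        ret
endp

section '.data' data readable writeable
  Title   db 'Hello',0
  Mess    db 'Put me where',10,'you want',0
  align 4
  tid     dd ?                                          ; written by CreateThread
  hHook   dd ?                                          ; written by SetWindowsHookEx
  hThread dd ?                                          ; returned by CreateThread

section '.idata' import data readable writeable
  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'
  include 'api\kernel32.inc'
  include 'api\user32.inc'
```

Two things worth noting when stepping through this in OllyDbg: after CreateThread returns, [tid] already holds the new thread's ID even though EAX holds the handle, which is the distinction the thread started with; and because main waits on hThread, the hook handle in [hHook] is still valid when UnhookWindowsHookEx runs, so that call no longer fails with the hook already torn down by process exit.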

Copyright © 1999-2025, Tomasz Grysztar.